I need Authentik Help Please

What happened?

I get a 500 error with the integration when I try to access verify.redacted.com.

What did you expect to happen?

The first step after successful install? I guess? I haven’t gotten that far!

How’d it happen?

  1. Tried my setup from the OIDC example on your site (the Keycloak one)
  2. Launched my site at https://verify.redacted.com
  3. Saw error `500 Internal Server Error`

What’s your environment like?

Docker install on dedicated LXC via Proxmox Debian 12

  • Pomerium version (retrieve with pomerium --version):
  • Server Operating System/Architecture/Cloud:
    Debian 12; I assume the latest version as of a few hours ago, so I guess the current one as of 11/15/2023?

What’s your config.yaml?

# See detailed configuration settings: https://www.pomerium.com/docs/reference/

#####################################################################
# If self-hosting, use the localhost authenticate service URL below #
# and remove the hosted URL.                                        #
#####################################################################
# authenticate_service_url: https://authenticate.localhost.pomerium.io

authenticate_service_url: https://verify.example.com


###################################################################################
# If self-hosting, you must configure an identity provider.                        #
# See identity provider settings: https://www.pomerium.com/docs/identity-providers/#
####################################################################################

idp_provider: oidc
idp_provider_url: https://sso.redacted.com/if/flow/default-authentication-flow/
idp_client_id:  XXXXXXXXXXXXXXXXXXX
idp_client_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
idp_provider_scopes: openid,profile,email


# https://pomerium.com/reference/#routes
routes:
  - from: https://verify.redacted.com
    to: https://sso.redacted.com
    policy:
      - allow:
          or:
            - email:
                is: myemail@email.com
    pass_identity_headers: true

cookie_name: pomerium
cookie_secret: RwUs2sSLd2MX0Z52fo3Fk5lgaqDCZopOLPF6bee9k74=
cookie_domain: redacted.com
pomerium_debug: true

What did you see in the logs?

1:44AM INF authorize check allow=true allow-why-true=["pomerium-route"] check-request-id=7464cd22-d2ab-41fb-8b05-911c5fd2122c deny=false deny-why-false=[] email= host=verify.redacted.com ip=192.168.1.161 method=GET path=/.pomerium/ request-id=7464cd22-d2ab-41fb-8b05-911c5fd2122c service=authorize user=
1:44AM INF authenticate: session load error error="Bad Request: internal/sessions: session is not found" idp_id= ip=127.0.0.1 request-id=7464cd22-d2ab-41fb-8b05-911c5fd2122c user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
1:44AM ERR httputil: error error="failed to get sign in url: identity/oidc: could not connect to oidc: 404 Not Found: \n\n\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1\">\n<title>\nNode 815\n</title>\n<link rel=\"icon\" href=\"https://assets.redacted.com/logos/favicon.ico\">\n<link rel=\"shortcut icon\" href=\"https://assets.redacted.com/logos/favicon.ico\">\n<link rel=\"prefetch\" href=\"/static/dist/assets/images/flow_background.jpg\" />\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/static/dist/patternfly.min.css\">\n<script>\n    window.authentik = {\n        locale: \"en-us\",\n        config: JSON.parse(''),\n        tenant: JSON.parse(''),\n        versionFamily: \"\",\n        versionSubdomain: \"\",\n        build: \"\",\n    };\n    window.addEventListener(\"DOMContentLoaded\", () => {\n        \n    });\n</script>\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/static/dist/authentik.css\">\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/static/dist/theme-dark.css\" media=\"(prefers-color-scheme: dark)\">\n<link rel=\"stylesheet\" type=\"text/css\" href=\"/static/dist/custom.css\" data-inject>\n<script src=\"/static/dist/poly.js?version=2023.10.3\" type=\"module\"></script>\n<script src=\"/static/dist/standalone/loading/index.js?version=2023.10.3\" type=\"module\"></script>\n<style>\n:root {\n    --ak-flow-background: url(\"/static/dist/assets/images/flow_background.jpg\");\n    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);\n    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);\n    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);\n    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);\n    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);\n}\n/* Form with user */\n.form-control-static {\n    margin-top: 
var(--pf-global--spacer--sm);\n    display: flex;\n    align-items: center;\n    justify-content: space-between;\n}\n.form-control-static .avatar {\n    display: flex;\n    align-items: center;\n}\n.form-control-static img {\n    margin-right: var(--pf-global--spacer--xs);\n}\n.form-control-static a {\n    padding-top: var(--pf-global--spacer--xs);\n    padding-bottom: var(--pf-global--spacer--xs);\n    line-height: var(--pf-global--spacer--xl);\n}\n</style>\n<meta name=\"sentry-trace\" content=\"3ee678933fc3413bb2cd60c56d951204-9142fa83855b210f-1\" />\n</head>\n<body>\n<div class=\"pf-c-background-image\">\n<svg xmlns=\"http://www.w3.org/2000/svg\" class=\"pf-c-background-image__filter\" width=\"0\" height=\"0\">\n<filter id=\"image_overlay\">\n<feColorMatrix in=\"SourceGraphic\" type=\"matrix\" values=\"1.3 0 0 0 0 0 1.3 0 0 0 0 0 1.3 0 0 0 0 0 1 0\" />\n<feComponentTransfer color-interpolation-filters=\"sRGB\" result=\"duotone\">\n<feFuncR type=\"table\" tableValues=\"0.086274509803922 0.43921568627451\"></feFuncR>\n<feFuncG type=\"table\" tableValues=\"0.086274509803922 0.43921568627451\"></feFuncG>\n<feFuncB type=\"table\" tableValues=\"0.086274509803922 0.43921568627451\"></feFuncB>\n<feFuncA type=\"table\" tableValues=\"0 1\"></feFuncA>\n</feComponentTransfer>\n</filter>\n</svg>\n</div>\n<ak-message-container></ak-message-container>\n<div class=\"pf-c-login\">\n<div class=\"ak-login-container\">\n<header class=\"pf-c-login__header\">\n<div class=\"pf-c-brand ak-brand\">\n<img src=\"https://assets.redacted.com/logos/newlogo.png\" alt=\"authentik Logo\" />\n</div>\n</header>\n<main class=\"pf-c-login__main\">\n<header class=\"pf-c-login__main-header\">\n<h1 class=\"pf-c-title pf-m-3xl\">\nNot Found\n</h1>\n</header>\n<div class=\"pf-c-login__main-body\">\n<form method=\"POST\" class=\"pf-c-form\">\n<p></p>\n<a id=\"ak-back-home\" href=\"/\" class=\"pf-c-button pf-m-primary\">\nGo home\n</a>\n</form>\n</div>\n</main>\n<footer class=\"pf-c-login__footer\">\n<ul 
class=\"pf-c-list pf-m-inline\">\n<li>\n<a href=\"https://sso.redacted.com\">Return to Home</a>\n</li>\n<li>\n<a href=\"https://goauthentik.io?utm_source=authentik\">\nPowered by authentik\n</a>\n</li>\n</ul>\n</footer>\n</div>\n</div>\n<script>(function(){var js = \"window['__CF$cv$params']={r:'826c0bdfc9a169d4',t:'MTcwMDA5OTA0MS4yNzYwMDA='};_cpo=document.createElement('script');_cpo.nonce='',_cpo.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js',document.getElementsByTagName('head')[0].appendChild(_cpo);\";var _0xh = document.createElement('iframe');_0xh.height = 1;_0xh.width = 1;_0xh.style.position = 'absolute';_0xh.style.top = 0;_0xh.style.left = 0;_0xh.style.border = 'none';_0xh.style.visibility = 'hidden';document.body.appendChild(_0xh);function handler() {var _0xi = _0xh.contentDocument || _0xh.contentWindow.document;if (_0xi) {var _0xj = _0xi.createElement('script');_0xj.innerHTML = js;_0xi.getElementsByTagName('head')[0].appendChild(_0xj);}}if (document.readyState !== 'loading') {handler();} else if (window.addEventListener) {document.addEventListener('DOMContentLoaded', handler);} else {var prev = document.onreadystatechange || function () {};document.onreadystatechange = function (e) {prev(e);if (document.readyState !== 'loading') {document.onreadystatechange = prev;handler();}};}})();</script></body>\n</html>\n" ip=127.0.0.1 request-id=7464cd22-d2ab-41fb-8b05-911c5fd2122c status=500 status-text="Internal Server Error" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
1:44AM INF http-request authority=verify.redacted.com duration=37.048197 forwarded-for=12.34.56.78.91,192.168.1.161 method=GET path=/.pomerium/ referer= request-id=7464cd22-d2ab-41fb-8b05-911c5fd2122c response-code=500 response-code-details=via_upstream service=envoy size=667 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

Additional context

I am not sure what is happening here. I would appreciate someone's working example (sanitized, of course) if you have one so I can get this to work. Neither Pomerium nor Authentik has any examples to use. I've been hammering at this for a long time today, so I'm sort of at my wit's end to be so close but so far.

Hi there, we’re in the middle of releasing v24 so sorry for the delay.

From the logs, it looks like you are not providing the correct OpenID provider URL, which should be the root of the discoverable OpenID Connect “well known” endpoint.

Please check with Authentik if you have the correct value.

If that doesn’t fix it, please reach out again. (Note that next week is Thanksgiving)

Unfortunately Authentik has not been able to help; I've discussed it some with their Discord chat group. They sort of use a highly modified OAuth2-Proxy for their reverse proxy, but I wanted to complement it with this as it seems likely that you will be able to provide a solution. In short, I happened upon your post about securing AdGuard Home and that caught my attention, as that's what I'm trying to do with their software. Anyway, this led me down the fun rabbit hole of trying this out. As for the providers, this is what I have, and I've tried just about all of them except for the logout one.

This is under the place I’ve been putting them:

# https://pomerium.com/reference/#routes
routes:
  - from: https://verify.redacted.com
    to: https://sso.redacted.com/if/flow/default-authentication-flow/   # (this latest value was suggested by a GPT LLM last night while waiting for approval of the post and your reply)
    policy:
      - allow:
          or:
            - email:
                is: myemail@email.com
    pass_identity_headers: true

It always hits the same 500 error no matter which URL I select from the above for the "to:" field, always hitting the message:

3:41AM INF authenticate: session load error error="Bad Request: internal/sessions: session is not found" idp_id= ip=127.0.0.1 request-id=039156c5-63cc-49a9-aee5-45c36b15d328 user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
3:41AM ERR httputil: error error="identity: **unknown provider: OIDC**" ip=127.0.0.1 request-id=039156c5-63cc-49a9-aee5-45c36b15d328 status=500 status-text="Internal Server Error" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
3:41AM INF http-request authority=verify.redacted.com duration=9.930186 forwarded-for=50.39.217.134,192.168.1.161 method=GET path=/.pomerium/ referer= request-id=039156c5-63cc-49a9-aee5-45c36b15d328 response-code=500 response-code-details=via_upstream service=envoy size=669 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"

I hope all of this makes sense. The timestamp, by the way, is incorrect; it was actually around 7pm when I captured the logs. I need to add the TZ variable in the compose file, I believe, so it picks up the time correctly in the logs. I really don't understand how it doesn't recognize the provider OIDC. I assume this is an accepted provider based on the Keycloak example.

The https://sso.redacted.com/if/flow/default-authentication-flow/ URL, if you were to pull the true URL, would present you with my login screen for Authentik, so I'm not 100% certain whether that would truly be the case or not.

Hi @node815, can you try setting idp_provider_url to the “OpenID Configuration Issuer” URL from your screenshot above? So something like this:

idp_provider_url: https://sso.redacted.com/application/o/pomerium/

The individual route ‘to’ URL isn’t involved in the OIDC configuration. Instead ‘to’ should be the URL of the service you want Pomerium to proxy user requests to, after authentication. (You could substitute to: https://verify.pomerium.com/ for testing purposes – this is a public instance of the verify app.)

This also needs to be set to a different URL. Something like https://authenticate.redacted.com.
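The two replies above boil down to four things that can be checked before starting Pomerium: idp_provider_url must be the OIDC issuer (the root under which /.well-known/openid-configuration is served), a route's `to:` must be the upstream application rather than the IdP, authenticate_service_url must be a hostname of its own that Pomerium serves, and idp_provider must be the lowercase value `oidc` (the earlier log shows `unknown provider: OIDC`). The script below encodes those checks. It is an added example written for this page, not code from Pomerium or authentik; the hostnames are the ones used in the thread, `DISCOVERY` is a constructed stand-in for what authentik serves at the issuer's well-known URL (its endpoint paths are assumptions, not fetched), and `fetch_discovery` is provided for a live run but is not exercised offline.

```python
"""Lint a Pomerium config.yaml (as a dict) against an OIDC discovery document.

Added example, not from the thread, Pomerium or authentik. The checks mirror
the failures seen in the thread:
  - 404 from discovery because idp_provider_url was a login-flow URL, not the issuer
  - route `to:` aimed at the IdP instead of the upstream application
  - authenticate_service_url reusing a route's hostname
  - "unknown provider: OIDC" from a non-lowercase idp_provider value
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"
# From the Pomerium log line in the thread: expected ["RS256"].
EXPECTED_ID_TOKEN_ALGS = ("RS256",)

# Constructed stand-in for authentik's discovery document (paths are assumptions).
DISCOVERY = {
    "issuer": "https://sso.redacted.com/application/o/pomerium/",
    "authorization_endpoint": "https://sso.redacted.com/application/o/authorize/",
    "token_endpoint": "https://sso.redacted.com/application/o/token/",
    "jwks_uri": "https://sso.redacted.com/application/o/pomerium/jwks/",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}

# The configuration from the original post, reduced to the keys that matter here.
BAD_CONFIG = {
    "authenticate_service_url": "https://verify.redacted.com",
    "idp_provider": "OIDC",
    "idp_provider_url": "https://sso.redacted.com/if/flow/default-authentication-flow/",
    "routes": [{"from": "https://verify.redacted.com", "to": "https://sso.redacted.com"}],
}

# The same configuration with the fixes suggested in the replies applied.
GOOD_CONFIG = {
    "authenticate_service_url": "https://authenticate.redacted.com",
    "idp_provider": "oidc",
    "idp_provider_url": "https://sso.redacted.com/application/o/pomerium/",
    "routes": [{"from": "https://verify.redacted.com", "to": "https://verify.pomerium.com/"}],
}


def discovery_url(issuer: str) -> str:
    """Where Pomerium (via go-oidc) looks for the discovery document."""
    return issuer.rstrip("/") + WELL_KNOWN


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Live fetch of the discovery document; not used by the offline checks."""
    with urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def _host(url: str) -> str:
    return urlparse(url).netloc.lower()


def lint(config: dict, discovery: dict) -> list:
    """Return (code, message) findings; an empty list means nothing to fix."""
    findings = []

    provider = config.get("idp_provider", "")
    if provider != provider.lower():
        findings.append(("idp_provider", f"use lowercase {provider.lower()!r}, got {provider!r}"))

    issuer = config.get("idp_provider_url", "")
    # go-oidc compares the configured URL with the issuer claim byte for byte,
    # so the trailing slash that authentik issuers carry is significant.
    if issuer != discovery.get("issuer"):
        findings.append(("idp_provider_url",
                         f"{issuer!r} != issuer {discovery.get('issuer')!r}; "
                         f"discovery would be requested from {discovery_url(issuer)}"))

    algs = discovery.get("id_token_signing_alg_values_supported", [])
    if not any(a in algs for a in EXPECTED_ID_TOKEN_ALGS):
        findings.append(("id_token_alg", f"provider advertises {algs}, Pomerium wants {list(EXPECTED_ID_TOKEN_ALGS)}"))

    auth_host = _host(config.get("authenticate_service_url", ""))
    idp_host = _host(issuer)
    if auth_host == idp_host:
        findings.append(("authenticate_service_url", "must be served by Pomerium, not point at the IdP"))
    for route in config.get("routes", []):
        if _host(route.get("from", "")) == auth_host:
            findings.append(("route.from", f"{route['from']} collides with authenticate_service_url"))
        if _host(route.get("to", "")) == idp_host:
            findings.append(("route.to", f"{route['to']} points at the IdP; `to` is the upstream application"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, "->", lint(cfg, DISCOVERY) or "no findings")
```

The discovery document only advertises which signing algorithms the provider can use; which one a given authentik provider actually uses is per-provider configuration, so a clean result here does not rule out the RS256/HS256 mismatch that appears later in the thread.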

It shouldn’t be verify.redacted.com? I just want to make sure. (Verify.redacted.com is the Pomerium URL with https in front)

By pointing it to my sso domain which is sso.redacted.com it returns:

When going to verify.redacted.com with this method. I changed it to verify.redacted.com (Pomerium's), which kept me at my SSO page, but this time with the login as I would expect. PROGRESS!

Logged in, got the consent screen, so I consented and landed on the 500 error:

6:49PM INF http-request authority=verify.redacted.com duration=164.91422 forwarded-for=12.34.567.89.10,192.168.1.161 method=GET path=/oauth2/callback referer= request-id=4ec322aa-bd50-4978-915e-90fdb985d002 response-code=500 response-code-details=via_upstream service=envoy size=665 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"

More progress! So close but so far I think.

Alright, I’m stopping here as I think this is the problem perhaps:

ERR httputil: error error="authenticate.OAuthCallback: error redeeming authenticate code: identity/oidc: failed getting id_token: oidc: id token signed with unsupported algorithm, expected [\"**RS256**\"] **got** \"**HS256**\"" ip=127.0.0.1 request-id=ce025a44-6fe6-4e84-adb0-4a2730e073c4 status=500 status-text="Internal Server Error" user_agent="Mozilla

How do I set the correct algorithm it sends in the config.yaml?

So I lied about stopping. haha

I consulted Authentik's Discord and got the RS256 vs HS256 issue resolved.

So, this issue is resolved I finally got it to print out my User Details in Pomerium, so I guess it’s time to read up on the rest of how your app works. Marking this as solved.

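The `id token signed with unsupported algorithm` error above is raised from the token's JOSE header alone, before any signature check, so the quickest way to see what the IdP is sending is to decode that header. The snippet below does that and also shows why HS256 id_tokens are a weaker fit for a relying party: an HS256 token is an HMAC keyed with the OAuth client secret, so every holder of that secret (the relying party included) can mint tokens, whereas an RS256 token is verified against the provider's public JWKS only. This is an added example, not code from Pomerium or authentik; the token and client secret are constructed here. In authentik's OAuth2/OpenID provider settings the relevant option is the Signing Key: with no key selected, tokens are HS256-signed with the client secret, and selecting an RSA certificate switches them to RS256.

```python
"""Decode an id_token's JOSE header and reproduce Pomerium's algorithm gate.

Added example, not from the thread, Pomerium or authentik. The HS256 token is
minted locally from a constructed client secret so that this runs offline.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, client_secret: str) -> str:
    """What an HS256 provider does: HMAC-SHA256 over header.payload keyed with the client secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def token_alg(token: str) -> str:
    """Read `alg` from the JOSE header; no verification happens here."""
    return json.loads(b64url_decode(token.split(".")[0]))["alg"]


def pomerium_would_accept(token: str, allowed=("RS256",)) -> bool:
    """Pomerium's gate as seen in the thread: expected ["RS256"], got "HS256"."""
    return token_alg(token) in allowed


def verify_hs256(token: str, client_secret: str) -> bool:
    """Anyone holding the client secret can do this, and can also forge tokens."""
    header, payload, sig = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


if __name__ == "__main__":
    # Constructed claims and secret, not real values.
    tok = mint_hs256({"iss": "https://sso.redacted.com/application/o/pomerium/", "sub": "node815"},
                     "constructed-client-secret")
    print("alg:", token_alg(tok), "| accepted by Pomerium:", pomerium_would_accept(tok))
```

Paste a real id_token into `token_alg` (it only reads the header) to confirm what the provider sends after changing the signing key; the fix itself lives on the authentik side, not in config.yaml.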

Hi @node815, I’m glad you’ve got your setup working.

Just to clear up any potential confusion: the authenticate_service_url is a URL that is served by Pomerium. Your DNS should be configured so that this URL resolves to the Pomerium service. It should not point to Authentik.

You should also be sure to choose a URL that is different than any of the route URLs you want to use with Pomerium.

No worries, I got it working with both AdguardDNSHome and my router’s login so both services I wanted to put behind Authentik are squared away!